In our previous post we outlined the key issues regarding mHealth devices and services from a privacy law perspective. Now, we go further into the details and discuss the scope of the personal data involved, especially relating to sensitive health data. We introduce the relevant statutory requirements in the EU and the legal opinions of the Article 29 Working Party and the European Data Protection Supervisor, as well as having a look at the upcoming European General Data Protection Regulation. Against this legal background, one core question we will examine is whether information collected and processed by lifestyle apps and devices must be classified as health data and fall under the strict requirements of European data protection laws.
Thank you to everyone who participated in today’s webinar “Safe Harbor Invalidated – What Next?”, in which we analyzed the implications of yesterday’s decision by the Court of Justice of the European Union invalidating the EU-U.S. Safe Harbor Framework. In the webinar, we explored:
- What is the status of data transfers currently being legitimized by Safe Harbor?
- What alternative options are available for Safe Harbor members to lawfully receive data from Europe?
- What steps must Safe Harbor members take to transition to those other options?
- What are Safe Harbor members required to do with EU data already in the U.S.?
- How should companies respond to enquiries from EU clients and regulators concerned about the lack of a lawful basis for transfers?
To access a copy of the slide deck, click here.
To access the recorded webinar (1 hr 6 mins), click here.
Stay tuned to the blog for future updates, including any interpretations or next-steps guidance from the European data protection authorities, the U.S. Department of Commerce, or the Federal Trade Commission.
On 6 October 2015, the Court of Justice of the European Union (CJEU) declared the EU-US Safe Harbor framework invalid as a mechanism to legitimize transfers of personal data from the EU to the US. This decision effectively leaves any organisation that relied on Safe Harbor exposed to claims that such data transfers are unlawful.
Safe Harbor was jointly devised by the European Commission and the U.S. Department of Commerce as a framework that would allow US-based organisations to overcome the restrictions on transfers of personal data from the EU. Following a dispute between Austrian law student Max Schrems and the Irish Data Protection Commissioner, the CJEU was asked to consider whether a data protection supervisory authority was bound by the European Commission’s decision that Safe Harbor provided an adequate level of protection for European data.
In its ruling, the CJEU goes beyond this specific question and takes the view that Safe Harbor does not in fact provide an adequate level of data protection, because it is unable to prevent large-scale access by the U.S. intelligence authorities to data transferred from Europe.
What is the practical effect of the decision?
The decision invalidating Safe Harbor has the following consequences:
Next Tuesday, the Court of Justice of the European Union (CJEU) is scheduled to publish its decision in Maximillian Schrems v. Data Protection Commissioner, in which it is expected to rule on the validity of the U.S.-EU Safe Harbor Framework. Last week’s opinion of the CJEU’s Advocate General emphatically found Safe Harbor to be inadequate under EU law on the basis that access to Safe Harbor data by U.S. intelligence services is too wide and disproportionate, and that Safe Harbor does not contain appropriate guarantees to prevent this level of access. While the AG’s opinion is not binding on the CJEU, the short turn-around implies that the CJEU will not vary significantly from the opinion.
The HHS Office for Civil Rights (OCR) needs to improve and expand its health privacy and data breach enforcement efforts. This was the message delivered by the September 29 release of twin reports by the U.S. Department of Health and Human Services Office of Inspector General (OIG) that assessed OCR’s enforcement of federal health privacy laws. The studies were commissioned out of concern that the failure to adequately safeguard health information can expose large numbers of patients “to privacy invasion, fraud, identity theft, and/or other harm.” The enforcement of the HIPAA privacy laws in the U.S. is viewed as critical to ensuring that vulnerabilities that can lead to data breaches and potential harm to patients are addressed.
We are very proud to report that today, the International Association of Privacy Professionals (IAPP) awarded our very own Chris Wolf with its Privacy Vanguard Award, provided to an individual who has shown exceptional leadership, knowledge and creativity in the field of privacy and data protection.
Known as a “dean of the industry,” Chris helped break the path for privacy law as its own discipline when the early days of the Internet and related technologies made clear that existing laws were quickly becoming outdated. He originated and edited the first privacy law treatise published by the Practising Law Institute and has written and lectured widely on the subject of privacy law, including co-editing the PLI book, “A Practical Guide to the Red Flag rules,” testifying before Congress and the Privacy and Civil Liberties Oversight Board, and serving on the OECD group advising on the OECD Privacy Guidelines. Over the years, Chris has advised and shaped thinking on many leading-edge issues including Internet free speech, Internet hate speech (co-authoring “Viral Hate: Containing its Spread on the Internet”), and the parameters of government access to stored information.
On September 11, 2015, the Federal Communications Commission (FCC) Enforcement Bureau issued citations to F.N.B. Corporation (First National Bank or FNB) and Lyft, Inc. (Lyft), a ride-sharing service, for Telephone Consumer Protection Act (TCPA) violations pertaining to the marketing rules.
The National Institute of Standards and Technology (NIST) released the draft Framework for Cyber-Physical Systems on September 18. The Framework is intended to serve as a common blueprint for the development of safe, secure, and interoperable systems as varied as smart energy grids, wearable devices, and connected cars. The NIST Cyber-Physical Systems Public Working Group (CPS PWG) developed the draft document over the past year with input from several hundred experts from industry, academia, and government. NIST will be accepting public comment on the draft for the next 45 days.
The Opinion of the Advocate General (AG) of the Court of Justice of the European Union (CJEU) on the case assessing the status and validity of Safe Harbor has created significant uncertainty relating to its immediate future. While the CJEU has not yet ruled, the AG’s decisions are typically quite influential. The AG’s view is that the Safe Harbor program does not provide an adequate level of data protection and that it should have already been invalidated by the European Commission.
Safe Harbor was the end result of several years of negotiations during the late ’90s between the European Commission and the U.S. Department of Commerce to create a self-regulatory framework that would allow U.S.-based organisations to overcome the restrictions on transfers of personal data from the EU.
On 1 September 2015, Russia’s much anticipated data localization law came into force. In recent interviews with European CEO and The Financial Times, Natalia Gulyaeva, partner in Hogan Lovells’ Moscow office, highlighted some key elements for multinationals to consider when doing business in Russia. In the interviews, Natalia explains that Roskomnadzor is not likely to conduct compliance audits on large multinational companies for some time and will allow for the transfer of data out of Russia as long as the primary database is inside Russia. She also highlights that because Russia’s definition of “personal data” is very broad, a prudent course of action is for companies to treat all information used to assist in the identification of individuals as “personal data.”